Privacy law falls short in age of proliferating medical devices

HIPAA apparently doesn't cover patient access to defibrillator data

Who owns the data produced from cardiac monitoring devices? The devices are proliferating as vendors make them ever smaller, improving patient comfort and care for heart disorders.

But the devices apparently fall outside U.S. privacy law, according to a Wall Street Journal article detailing how a Tennessee defibrillator patient has been unable to get access to the data from vendor Medtronic. The vendor says its clients are physicians and hospitals, and giving information to patients would require regulatory approval. Yet Medtronic is among the companies trying to monetize the data from cardiac monitors. Medtronic executive Ken Riff, at a July industry event, called these kinds of data "the currency of the future," the Journal reports.

Medtronic sends a summary of the data to the patient's physician. Tennessee patient Amanda Hubbard had not been seeing her doctor often because her insurance expired. She eventually made an appointment with her physician and learned that an electrode had become dislodged, something she said she could have learned much earlier if she had access to her own data.

Medtronic says that to release raw data to patients, it would have to come up with a way to present the data in a format that patients would understand, then seek approval from the U.S. Food and Drug Administration. It hasn't done so, it says, because there's been little demand.

HIPAA gives patients the right to information held by doctors and hospitals, but because the data goes to the vendor, it falls outside the privacy requirements, which is just one example of how HIPAA hasn't kept up with technology, according to the article. Even smartphone apps and over-the-counter monitors raise questions about the definition of medical records, the article says.

While some believe patients should receive heart-monitor information from their physicians, who can better explain it and allay concerns, patient advocates insist that patients themselves should own their data.

Device makers do face some restrictions, including a ban on selling identifiable information to a marketing company. However, just this week, the U.S. Department of Health & Human Services' Office for Civil Rights said that neither the expert determination method nor the safe harbor method of de-identifying patient data is 100 percent effective.

A recent study published in the Journal of the American Medical Informatics Association found patients want strict control over the information in their electronic health records. Earlier this month, the American Academy of Pediatrics called for the overhaul of EHR systems to better protect teens' privacy.
